Multi-instance architecture supporting out-of-band delivery of configuration data

ABSTRACT

An example embodiment may include a central computational instance, as well as a plurality of computational instances that are configured to execute a software module. The central instance may be configured to deliver updates to configuration data for the software module at a plurality of release times. The embodiment may involve a computing device disposed within a particular instance of the plurality of instances transmitting a request for an out-of-band delivery of the configuration data, where the out-of-band delivery is to be made during a time other than any of the release times, receiving the configuration data from source field(s) of a central database of the central instance, and writing the configuration data to destination field(s) of a local database of the particular instance. The embodiment may also involve executing the software module according to the configuration data stored in the destination field(s).

BACKGROUND

A remote network management platform may take the form of a hostedenvironment that provides application Platform-as-a-Service (aPaaS)services to users, particularly to operators of a managed network suchas enterprises. Such services may take the form of web-based portalsand/or software applications that enterprises or other entities (as wellas both internal and external users thereof) may access throughcomputational instances of the remote network management platform.

SUMMARY

The software applications through which the remote network managementplatform provides services may be higher-level applications, or“software modules,” deployed within or involving a computationalinstance of the remote network management platform. Each such softwaremodule may have associated configuration data that defines how thesoftware module operates, is accessed, is designed, and/or provides aparticular service. For example, configuration data for a softwaremodule that provides a software asset management service may includehardware attributes, software attributes, license information, or otherinformation that facilitates discovery, software entitlement, and/orother operations relating to software asset management performed by theenterprise. As another example, configuration data for a software modulethat provides a security operations management service may include virusinformation, security policies, and/or other parameters related todetecting, identifying, and handling security threats. Other, moregeneral, types of configuration data are possible as well, which couldfacilitate provision of one or more such services.

Every so often, the remote network management platform may update thesoftware module, and thereby update the configuration data associatedwith the software module, through delivery of new software releases forthe software module and/or patches to new or previous software releases.Typically, the remote network management platform may deliver theseupdates at particular release times.

However, the remote network management platform may update theconfiguration data associated with the software module more frequentlythan updates to the software module are delivered. For example, theremote network management platform may add, delete, or modify theconfiguration data for the software module during development of arelease or patch for the software module, but may not deliver such arelease or patch until the release or patch is finalized and tested. Assuch, existing software-module-update delivery schemes may present adelay between when configuration data is updated and when users haveaccess to that latest update to the configuration data. Users may berequired to wait until one of the plurality of release times in order toupdate the software module with the latest configuration data. This maypresent various issues, particularly for enterprises and users whoseoperations may be helped or improved by access to the latestconfiguration data, but whom are unable to access such configurationdata as-needed.

Therefore, in accordance with the present disclosure, the remote networkmanagement platform may be configured to support “out-of-band” deliveryof configuration data to enterprise-dedicated computationalinstances—namely, delivery of configuration data that is made during atime other than any of the particular release times noted above. Tofacilitate this, a central computational instance of the remote networkmanagement platform may be dedicated for storing configuration data fora software module and may be configured to serve requests forout-of-band delivery of the configuration data. As such, anenterprise-dedicated computational instance that is configured toexecute the software module may transmit a request for out-of-banddelivery of the configuration data, receive the latest configurationdata from the central computational instance, and then write thatconfiguration data to a local database. The enterprise-dedicatedcomputational instance may then execute the software module with thelatest configuration data.

Accordingly, a first example embodiment may involve determining, by acomputing device disposed within a particular computational instance ofa remote network management platform, one or more source fields of asource table within a central database of a central computationalinstance of the remote network management platform, the one or moresource fields containing configuration data for a software module. Thesoftware module, when executed, may enable access to a softwaremanagement service provided by the remote network management platform.The central computational instance may be configured to deliver updatesto the software module, including updates to the configuration data, ata plurality of release times. The particular computational instance maybe one of a plurality of computational instances of the remote networkmanagement platform that are associated with respective managed networksand configured to execute the software module. A local database may bedisposed within the particular computational instance.

The first example embodiment may also involve transmitting, by thecomputing device, a request for an out-of-band delivery of theconfiguration data contained in the one or more source fields. Theout-of-band delivery may be made during a time other than any of theplurality of release times.

The first example embodiment may also involve determining, by thecomputing device, one or more destination fields of a destination tablewithin the local database of the particular computational instance.

The first example embodiment may also involve receiving, by thecomputing device, the configuration data from the one or more sourcefields and writing the configuration data to the one or more destinationfields.

The first example embodiment may also involve executing, by thecomputing device, the software module in accordance with theconfiguration data stored in the one or more destination fields.

In a second example embodiment, an article of manufacture may include anon-transitory computer-readable medium, having stored thereon programinstructions that, upon execution by a computing system, cause thecomputing system to perform operations in accordance with the firstexample embodiment.

In a third example embodiment, a computing system may include at leastone processor, as well as memory and program instructions. The programinstructions may be stored in the memory, and upon execution by the atleast one processor, cause the computing system to perform operations inaccordance with the first example embodiment.

In a fourth example embodiment, a system may include various means forcarrying out each of the operations of the first example embodiment.

These as well as other embodiments, aspects, advantages, andalternatives will become apparent to those of ordinary skill in the artby reading the following detailed description, with reference whereappropriate to the accompanying drawings. Further, this summary andother descriptions and figures provided herein are intended toillustrate embodiments by way of example only and, as such, thatnumerous variations are possible. For instance, structural elements andprocess steps can be rearranged, combined, distributed, eliminated, orotherwise changed, while remaining within the scope of the embodimentsas claimed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a schematic drawing of a computing device, inaccordance with example embodiments.

FIG. 2 illustrates a schematic drawing of a server device cluster, inaccordance with example embodiments.

FIG. 3 depicts a remote network management architecture, in accordancewith example embodiments.

FIG. 4 depicts a communication environment involving a remote networkmanagement architecture, in accordance with example embodiments.

FIG. 5A depicts another communication environment involving a remotenetwork management architecture, in accordance with example embodiments.

FIG. 5B is a flow chart, in accordance with example embodiments.

FIG. 6 depicts another communication environment involving a remotenetwork management architecture, in accordance with example embodiments.

FIG. 7 depicts another communication environment involving the remotenetwork management architecture of FIG. 6, in accordance with exampleembodiments.

FIG. 8 is a flow chart, in accordance with example embodiments.

DETAILED DESCRIPTION

Example methods, devices, and systems are described herein. It should beunderstood that the words “example” and “exemplary” are used herein tomean “serving as an example, instance, or illustration.” Any embodimentor feature described herein as being an “example” or “exemplary” is notnecessarily to be construed as preferred or advantageous over otherembodiments or features unless stated as such. Thus, other embodimentscan be utilized and other changes can be made without departing from thescope of the subject matter presented herein.

Accordingly, the example embodiments described herein are not meant tobe limiting. It will be readily understood that the aspects of thepresent disclosure, as generally described herein, and illustrated inthe figures, can be arranged, substituted, combined, separated, anddesigned in a wide variety of different configurations. For example, theseparation of features into “client” and “server” components may occurin a number of ways.

Further, unless context suggests otherwise, the features illustrated ineach of the figures may be used in combination with one another. Thus,the figures should be generally viewed as component aspects of one ormore overall embodiments, with the understanding that not allillustrated features are necessary for each embodiment.

Additionally, any enumeration of elements, blocks, or steps in thisspecification or the claims is for purposes of clarity. Thus, suchenumeration should not be interpreted to require or imply that theseelements, blocks, or steps adhere to a particular arrangement or arecarried out in a particular order.

I. Introduction

A large enterprise is a complex entity with many interrelatedoperations. Some of these are found across the enterprise, such as humanresources (HR), supply chain, information technology (IT), and finance.However, each enterprise also has its own unique operations that provideessential capabilities and/or create competitive advantages.

To support widely-implemented operations, enterprises typically useoff-the-shelf software applications, such as customer relationshipmanagement (CRM) and human capital management (HCM) packages. However,they may also need custom software applications to meet their own uniquerequirements. A large enterprise often has dozens or hundreds of thesecustom software applications. Nonetheless, the advantages provided bythe embodiments herein are not limited to large enterprises and may beapplicable to an enterprise, or any other type of organization, of anysize.

Many such software applications are developed by individual departmentswithin the enterprise. These range from simple spreadsheets tocustom-built software tools and databases. But the proliferation ofsiloed custom software applications has numerous disadvantages. Itnegatively impacts an enterprise's ability to run and grow its business,innovate, and meet regulatory requirements. The enterprise may find itdifficult to integrate, streamline and enhance its operations due tolack of a single system that unifies its subsystems and data.

To efficiently create custom applications, enterprises would benefitfrom a remotely-hosted application platform that eliminates unnecessarydevelopment complexity. The goal of such a platform would be to reducetime-consuming, repetitive application development tasks so thatsoftware engineers and individuals in other roles can focus ondeveloping unique, high-value features.

In order to achieve this goal, the concept of Application Platform as aService (aPaaS) is introduced, to intelligently automate workflowsthroughout the enterprise. An aPaaS system is hosted remotely from theenterprise, but may access data, applications, and services within theenterprise by way of secure connections. Such an aPaaS system may have anumber of advantageous capabilities and characteristics. Theseadvantages and characteristics may be able to improve the enterprise'soperations and workflow for IT, HR, CRM, customer service, applicationdevelopment, and security.

The aPaaS system may support development and execution ofmodel-view-controller (MVC) applications. MVC applications divide theirfunctionality into three interconnected parts (model, view, andcontroller) in order to isolate representations of information from themanner in which the information is presented to the user, therebyallowing for efficient code reuse and parallel development. Theseapplications may be web-based, and offer create, read, update, delete(CRUD) capabilities. This allows new applications to be built on acommon application infrastructure.

The aPaaS system may support standardized application components, suchas a standardized set of widgets for graphical user interface (GUI)development. In this way, applications built using the aPaaS system havea common look and feel. Other software components and modules may bestandardized as well. In some cases, this look and feel can be brandedor skinned with an enterprise's custom logos and/or color schemes.

The aPaaS system may support the ability to configure the behavior ofapplications using metadata. This allows application behaviors to berapidly adapted to meet specific needs. Such an approach reducesdevelopment time and increases flexibility. Further, the aPaaS systemmay support GUI tools that facilitate metadata creation and management,thus reducing errors in the metadata.

The aPaaS system may support clearly-defined interfaces betweenapplications, so that software developers can avoid unwantedinter-application dependencies. Thus, the aPaaS system may implement aservice layer in which persistent state information and other data isstored.

The aPaaS system may support a rich set of integration features so thatthe applications thereon can interact with legacy applications andthird-party applications. For instance, the aPaaS system may support acustom employee-onboarding system that integrates with legacy HR, IT,and accounting systems.

The aPaaS system may support enterprise-grade security. Furthermore,since the aPaaS system may be remotely hosted, it should also utilizesecurity procedures when it interacts with systems in the enterprise orthird-party networks and services hosted outside of the enterprise. Forexample, the aPaaS system may be configured to share data amongst theenterprise and other parties to detect and identify common securitythreats.

Other features, functionality, and advantages of an aPaaS system mayexist. This description is for purpose of example and is not intended tobe limiting.

As an example of the aPaaS development process, a software developer maybe tasked to create a new application using the aPaaS system. First, thedeveloper may define the data model, which specifies the types of datathat the application uses and the relationships therebetween. Then, viaa GUI of the aPaaS system, the developer enters (e.g., uploads) the datamodel. The aPaaS system automatically creates all of the correspondingdatabase tables, fields, and relationships, which can then be accessedvia an object-oriented services layer.

In addition, the aPaaS system can also build a fully-functional MVCapplication with client-side interfaces and server-side CRUD logic. Thisgenerated application may serve as the basis of further development forthe user. Advantageously, the developer does not have to spend a largeamount of time on basic application functionality. Further, since theapplication may be web-based, it can be accessed from anyInternet-enabled client device. Alternatively or additionally, a localcopy of the application may be able to be accessed, for instance, whenInternet service is not available.

The aPaaS system may also support a rich set of pre-definedfunctionality that can be added to applications. These features includesupport for searching, email, templating, workflow design, reporting,analytics, social media, scripting, mobile-friendly output, andcustomized GUIs.

The following embodiments describe architectural and functional aspectsof example aPaaS systems, as well as the features and advantagesthereof.

II. Example Computing Devices and Cloud-Based Computing Environments

FIG. 1 is a simplified block diagram exemplifying a computing device100, illustrating some of the components that could be included in acomputing device arranged to operate in accordance with the embodimentsherein. Computing device 100 could be a client device (e.g., a deviceactively operated by a user), a server device (e.g., a device thatprovides computational services to client devices), or some other typeof computational platform. Some server devices may operate as clientdevices from time to time in order to perform particular operations, andsome client devices may incorporate server features.

In this example, computing device 100 includes processor 102, memory104, network interface 106, and an input/output unit 108, all of whichmay be coupled by a system bus 110 or a similar mechanism. In someembodiments, computing device 100 may include other components and/orperipheral devices (e.g., detachable storage, printers, and so on).

Processor 102 may be one or more of any type of computer processingelement, such as a central processing unit (CPU), a co-processor (e.g.,a mathematics, graphics, or encryption co-processor), a digital signalprocessor (DSP), a network processor, and/or a form of integratedcircuit or controller that performs processor operations. In some cases,processor 102 may be one or more single-core processors. In other cases,processor 102 may be one or more multi-core processors with multipleindependent processing units. Processor 102 may also include registermemory for temporarily storing instructions being executed and relateddata, as well as cache memory for temporarily storing recently-usedinstructions and data.

Memory 104 may be any form of computer-usable memory, including but notlimited to random access memory (RAM), read-only memory (ROM), andnon-volatile memory (e.g., flash memory, hard disk drives, solid statedrives, compact discs (CDs), digital video discs (DVDs), and/or tapestorage). Thus, memory 104 represents both main memory units, as well aslong-term storage. Other types of memory may include biological memory.

Memory 104 may store program instructions and/or data on which programinstructions may operate. By way of example, memory 104 may store theseprogram instructions on a non-transitory, computer-readable medium, suchthat the instructions are executable by processor 102 to carry out anyof the methods, processes, or operations disclosed in this specificationor the accompanying drawings.

As shown in FIG. 1, memory 104 may include firmware 104A, kernel 104B,and/or applications 104C. Firmware 104A may be program code used to bootor otherwise initiate some or all of computing device 100. Kernel 104Bmay be an operating system, including modules for memory management,scheduling and management of processes, input/output, and communication.Kernel 104B may also include device drivers that allow the operatingsystem to communicate with the hardware modules (e.g., memory units,networking interfaces, ports, and busses), of computing device 100.Applications 104C may be one or more user-space software programs, suchas web browsers or email clients, as well as any software libraries usedby these programs. Memory 104 may also store data used by these andother programs and applications.

Network interface 106 may take the form of one or more wirelineinterfaces, such as Ethernet (e.g., Fast Ethernet, Gigabit Ethernet, andso on). Network interface 106 may also support communication over one ormore non-Ethernet media, such as coaxial cables or power lines, or overwide-area media, such as Synchronous Optical Networking (SONET) ordigital subscriber line (DSL) technologies. Network interface 106 mayadditionally take the form of one or more wireless interfaces, such asIEEE 802.11 (Wifi), BLUETOOTH®, global positioning system (GPS), or awide-area wireless interface. However, other forms of physical layerinterfaces and other types of standard or proprietary communicationprotocols may be used over network interface 106. Furthermore, networkinterface 106 may comprise multiple physical interfaces. For instance,some embodiments of computing device 100 may include Ethernet,BLUETOOTH®, and Wifi interfaces.

Input/output unit 108 may facilitate user and peripheral deviceinteraction with example computing device 100. Input/output unit 108 mayinclude one or more types of input devices, such as a keyboard, a mouse,a touch screen, and so on. Similarly, input/output unit 108 may includeone or more types of output devices, such as a screen, monitor, printer,and/or one or more light emitting diodes (LEDs). Additionally oralternatively, computing device 100 may communicate with other devicesusing a universal serial bus (USB) or high-definition multimediainterface (HDMI) port interface, for example.

In some embodiments, one or more instances of computing device 100 maybe deployed to support an aPaaS architecture. The exact physicallocation, connectivity, and configuration of these computing devices maybe unknown and/or unimportant to client devices. Accordingly, thecomputing devices may be referred to as “cloud-based” devices that maybe housed at various remote data center locations.

FIG. 2 depicts a cloud-based server cluster 200 in accordance withexample embodiments. In FIG. 2, operations of a computing device (e.g.,computing device 100) may be distributed between server devices 202,data storage 204, and routers 206, all of which may be connected bylocal cluster network 208. The number of server devices 202, datastorages 204, and routers 206 in server cluster 200 may depend on thecomputing task(s) and/or applications assigned to server cluster 200.

For example, server devices 202 can be configured to perform variouscomputing tasks of computing device 100. Thus, computing tasks can bedistributed among one or more of server devices 202. To the extent thatthese computing tasks can be performed in parallel, such a distributionof tasks may reduce the total time to complete these tasks and return aresult. For purpose of simplicity, both server cluster 200 andindividual server devices 202 may be referred to as a “server device.”This nomenclature should be understood to imply that one or moredistinct server devices, data storage devices, and cluster routers maybe involved in server device operations.

Data storage 204 may be data storage arrays that include drive arraycontrollers configured to manage read and write access to groups of harddisk drives and/or solid state drives. The drive array controllers,alone or in conjunction with server devices 202, may also be configuredto manage backup or redundant copies of the data stored in data storage204 to protect against drive failures or other types of failures thatprevent one or more of server devices 202 from accessing units ofcluster data storage 204. Other types of memory aside from drives may beused.

Routers 206 may include networking equipment configured to provideinternal and external communications for server cluster 200. Forexample, routers 206 may include one or more packet-switching and/orrouting devices (including switches and/or gateways) configured toprovide (i) network communications between server devices 202 and datastorage 204 via cluster network 208, and/or (ii) network communicationsbetween the server cluster 200 and other devices via communication link210 to network 212.

Additionally, the configuration of cluster routers 206 can be based atleast in part on the data communication requirements of server devices202 and data storage 204, the latency and throughput of the localcluster network 208, the latency, throughput, and cost of communicationlink 210, and/or other factors that may contribute to the cost, speed,fault-tolerance, resiliency, efficiency and/or other design goals of thesystem architecture.

As a possible example, data storage 204 may include any form ofdatabase, such as a structured query language (SQL) database. Varioustypes of data structures may store the information in such a database,including but not limited to tables, arrays, lists, trees, and tuples.Furthermore, any databases in data storage 204 may be monolithic ordistributed across multiple physical devices.

Server devices 202 may be configured to transmit data to and receivedata from cluster data storage 204. This transmission and retrieval maytake the form of SQL queries or other types of database queries, and theoutput of such queries, respectively. Additional text, images, video,and/or audio may be included as well. Furthermore, server devices 202may organize the received data into web page representations. Such arepresentation may take the form of a markup language, such as thehypertext markup language (HTML), the extensible markup language (XML),or some other standardized or proprietary format. Moreover, serverdevices 202 may have the capability of executing various types ofcomputerized scripting languages, such as but not limited to Perl,Python, PHP Hypertext Preprocessor (PHP), Active Server Pages (ASP),JavaScript, and so on. Computer program code written in these languagesmay facilitate the providing of web pages to client devices, as well asclient device interaction with the web pages.

III. Example Remote Network Management Architecture

FIG. 3 depicts a remote network management architecture, in accordancewith example embodiments. This architecture includes three maincomponents, managed network 300, remote network management platform 320,and third-party networks 340, all connected by way of Internet 350.

Managed network 300 may be, for example, an enterprise network used by abusiness for computing and communications tasks, as well as storage ofdata. Thus, managed network 300 may include various client devices 302,server devices 304, routers 306, virtual machines 308, firewall 310,and/or proxy servers 312. Client devices 302 may be embodied bycomputing device 100, server devices 304 may be embodied by computingdevice 100 or server cluster 200, and routers 306 may be any type ofrouter, switch, or gateway.

Virtual machines 308 may be embodied by one or more of computing device100 or server cluster 200. In general, a virtual machine is an emulationof a computing system, and mimics the functionality (e.g., processor,memory, and communication resources) of a physical computer. Onephysical computing system, such as server cluster 200, may support up tothousands of individual virtual machines. In some embodiments, virtualmachines 308 may be managed by a centralized server device orapplication that facilitates allocation of physical computing resourcesto individual virtual machines, as well as performance and errorreporting. Enterprises often employ virtual machines in order toallocate computing resources in an efficient, as needed fashion.Providers of virtualized computing systems include VMWARE® andMICROSOFT®.

Firewall 310 may be one or more specialized routers or server devicesthat protect managed network 300 from unauthorized attempts to accessthe devices, applications, and services therein, while allowingauthorized communication that is initiated from managed network 300.Firewall 310 may also provide intrusion detection, web filtering, virusscanning, application-layer gateways, and other applications orservices. In some embodiments not shown in FIG. 3, managed network 300may include one or more virtual private network (VPN) gateways withwhich it communicates with remote network management platform 320 (seebelow).

Managed network 300 may also include one or more proxy servers 312. Anembodiment of proxy servers 312 may be a server device that facilitatescommunication and movement of data between managed network 300, remotenetwork management platform 320, and third-party networks 340. Inparticular, proxy servers 312 may be able to establish and maintainsecure communication sessions with one or more computational instancesof remote network management platform 320. By way of such a session,remote network management platform 320 may be able to discover andmanage aspects of the architecture and configuration of managed network300 and its components. Possibly with the assistance of proxy servers312, remote network management platform 320 may also be able to discoverand manage aspects of third-party networks 340 that are used by managednetwork 300.

Firewalls, such as firewall 310, typically deny all communicationsessions that are incoming by way of Internet 350, unless such a sessionwas ultimately initiated from behind the firewall (i.e., from a deviceon managed network 300) or the firewall has been explicitly configuredto support the session. By placing proxy servers 312 behind firewall 310(e.g., within managed network 300 and protected by firewall 310), proxyservers 312 may be able to initiate these communication sessions throughfirewall 310. Thus, firewall 310 might not have to be specificallyconfigured to support incoming sessions from remote network managementplatform 320, thereby avoiding potential security risks to managednetwork 300.

In some cases, managed network 300 may consist of a few devices and asmall number of networks. In other deployments, managed network 300 mayspan multiple physical locations and include hundreds of networks andhundreds of thousands of devices. Thus, the architecture depicted inFIG. 3 is capable of scaling up or down by orders of magnitude.

Furthermore, depending on the size, architecture, and connectivity ofmanaged network 300, a varying number of proxy servers 312 may bedeployed therein. For example, each one of proxy servers 312 may beresponsible for communicating with remote network management platform320 regarding a portion of managed network 300. Alternatively oradditionally, sets of two or more proxy servers may be assigned to sucha portion of managed network 300 for purposes of load balancing,redundancy, and/or high availability.

Remote network management platform 320 is a hosted environment thatprovides aPaaS services to users, particularly to the operators ofmanaged network 300. These services may take the form of web-basedportals, for instance. Thus, a user can securely access remote networkmanagement platform 320 from, for instance, client devices 302, orpotentially from a client device outside of managed network 300. By wayof the web-based portals, users may design, test, and deployapplications, generate reports, view analytics, and perform other tasks.

As shown in FIG. 3, remote network management platform 320 includes fourcomputational instances 322, 324, 326, and 328. Each of these instancesmay represent a set of web portals, services, and applications (e.g., awholly-functioning aPaaS system) available to a particular customer. Insome cases, a single customer may use multiple computational instances.For example, managed network 300 may be an enterprise customer of remotenetwork management platform 320, and may use computational instances322, 324, and 326. The reason for providing multiple instances to onecustomer is that the customer may wish to independently develop, test,and deploy its applications and services. Thus, computational instance322 may be dedicated to application development related to managednetwork 300, computational instance 324 may be dedicated to testingthese applications, and computational instance 326 may be dedicated tothe live operation of tested applications and services. A computationalinstance may also be referred to as a hosted instance, a remoteinstance, a customer instance, or by some other designation.

The multi-instance architecture of remote network management platform320 is in contrast to conventional multi-tenant architectures, overwhich multi-instance architectures have several advantages. Inmulti-tenant architectures, data from different customers (e.g.,enterprises) are comingled in a single database. While these customers'data are separate from one another, the separation is enforced by thesoftware that operates the single database. As a consequence, a securitybreach in this system may impact all customers' data, creatingadditional risk, especially for entities subject to governmental,healthcare, and/or financial regulation. Furthermore, any databaseoperations that impact one customer will likely impact all customerssharing that database. Thus, if there is an outage due to hardware orsoftware errors, this outage affects all such customers. Likewise, ifthe database is to be upgraded to meet the needs of one customer, itwill be unavailable to all customers during the upgrade process. Often,such maintenance windows will be long, due to the size of the shareddatabase.

In contrast, the multi-instance architecture provides each customer withits own database in a dedicated computing instance. This preventscomingling of customer data, and allows each instance to beindependently managed. For example, when one customer's instanceexperiences an outage due to errors or an upgrade, other computationalinstances are not impacted. Maintenance down time is limited because thedatabase only contains one customer's data. Further, the simpler designof the multi-instance architecture allows redundant copies of eachcustomer database and instance to be deployed in a geographicallydiverse fashion. This facilitates high availability, where the liveversion of the customer's instance can be moved when faults are detectedor maintenance is being performed.

In order to support multiple computational instances in an efficientfashion, remote network management platform 320 may implement aplurality of these instances on a single hardware platform. For example,when the aPaaS system is implemented on a server cluster such as servercluster 200, it may operate a virtual machine that dedicates varyingamounts of computational, storage, and communication resources toinstances. But full virtualization of server cluster 200 might not benecessary, and other mechanisms may be used to separate instances. Insome examples, each instance may have a dedicated account and one ormore dedicated databases on server cluster 200. Alternatively,computational instance 322 may span multiple physical devices.

In some cases, a single server cluster of remote network managementplatform 320 may support multiple independent enterprises. Furthermore,as described below, remote network management platform 320 may includemultiple server clusters deployed in geographically diverse data centersin order to facilitate load balancing, redundancy, and/or highavailability.

Third-party networks 340 may be remote server devices (e.g., a pluralityof server clusters such as server cluster 200) that can be used foroutsourced computational, data storage, communication, and servicehosting operations. These servers may be virtualized (i.e., the serversmay be virtual machines). Examples of third-party networks 340 mayinclude AMAZON WEB SERVICES® and MICROSOFT® Azure. Like remote networkmanagement platform 320, multiple server clusters supporting third-partynetworks 340 may be deployed at geographically diverse locations forpurposes of load balancing, redundancy, and/or high availability.

Managed network 300 may use one or more of third-party networks 340 todeploy applications and services to its clients and customers. Forinstance, if managed network 300 provides online music streamingservices, third-party networks 340 may store the music files and provideweb interface and streaming capabilities. In this way, the enterprise ofmanaged network 300 does not have to build and maintain its own serversfor these operations.

Remote network management platform 320 may include modules thatintegrate with third-party networks 340 to expose virtual machines andmanaged services therein to managed network 300. The modules may allowusers to request virtual resources and provide flexible reporting forthird-party networks 340. In order to establish this functionality, auser from managed network 300 might first establish an account withthird-party networks 340, and request a set of associated resources.Then, the user may enter the account information into the appropriatemodules of remote network management platform 320. These modules maythen automatically discover the manageable resources in the account, andalso provide reports related to usage, performance, and billing.

Internet 350 may represent a portion of the global Internet. However,Internet 350 may alternatively represent a different type of network,such as a private wide-area or local-area packet-switched network.

FIG. 4 further illustrates the communication environment between managednetwork 300 and computational instance 322, and introduces additionalfeatures and alternative embodiments. In FIG. 4, computational instance322 is replicated across data centers 400A and 400B. These data centersmay be geographically distant from one another, perhaps in differentcities or different countries. Each data center includes supportequipment that facilitates communication with managed network 300, aswell as remote users.

In data center 400A, network traffic to and from external devices flowseither through VPN gateway 402A or firewall 404A. VPN gateway 402A maybe peered with VPN gateway 412 of managed network 300 by way of asecurity protocol such as Internet Protocol Security (IPSEC) orTransport Layer Security (TLS). Firewall 404A may be configured to allowaccess from authorized users, such as user 414 and remote user 416, andto deny access to unauthorized users. By way of firewall 404A, theseusers may access computational instance 322, and possibly othercomputational instances. Load balancer 406A may be used to distributetraffic amongst one or more physical or virtual server devices that hostcomputational instance 322. Load balancer 406A may simplify user accessby hiding the internal configuration of data center 400A, (e.g.,computational instance 322) from client devices. For instance, ifcomputational instance 322 includes multiple physical or virtualcomputing devices that share access to multiple databases, load balancer406A may distribute network traffic and processing tasks across thesecomputing devices and databases so that no one computing device ordatabase is significantly busier than the others. In some embodiments,computational instance 322 may include VPN gateway 402A, firewall 404A,and load balancer 406A.

Data center 400B may include its own versions of the components in datacenter 400A. Thus, VPN gateway 402B, firewall 404B, and load balancer406B may perform the same or similar operations as VPN gateway 402A,firewall 404A, and load balancer 406A, respectively. Further, by way ofreal-time or near-real-time database replication and/or otheroperations, computational instance 322 may exist simultaneously in datacenters 400A and 400B.

Data centers 400A and 400B as shown in FIG. 4 may facilitate redundancyand high availability. In the configuration of FIG. 4, data center 400Ais active and data center 400B is passive. Thus, data center 400A isserving all traffic to and from managed network 300, while the versionof computational instance 322 in data center 400B is being updated innear-real-time. Other configurations, such as one in which both datacenters are active, may be supported.

Should data center 400A fail in some fashion or otherwise becomeunavailable to users, data center 400B can take over as the active datacenter. For example, domain name system (DNS) servers that associate adomain name of computational instance 322 with one or more InternetProtocol (IP) addresses of data center 400A may re-associate the domainname with one or more IP addresses of data center 400B. After thisre-association completes (which may take less than one second or severalseconds), users may access computational instance 322 by way of datacenter 400B.

FIG. 4 also illustrates a possible configuration of managed network 300.As noted above, proxy servers 312 and user 414 may access computationalinstance 322 through firewall 310. Proxy servers 312 may also accessconfiguration items 410. In FIG. 4, configuration items 410 may refer toany or all of client devices 302, server devices 304, routers 306, andvirtual machines 308, any applications or services executing thereon, aswell as relationships between devices, applications, and services. Thus,the term “configuration items” may be shorthand for any physical orvirtual device, or any application or service remotely discoverable ormanaged by computational instance 322, or relationships betweendiscovered devices, applications, and services. Configuration items maybe represented in a configuration management database (CMDB) ofcomputational instance 322.

As noted above, VPN gateway 412 may provide a dedicated VPN to VPNgateway 402A. Such a VPN may be helpful when there is a significantamount of traffic between managed network 300 and computational instance322, or security policies otherwise suggest or require use of a VPNbetween these sites. In some embodiments, any device in managed network300 and/or computational instance 322 that directly communicates via theVPN is assigned a public IP address. Other devices in managed network300 and/or computational instance 322 may be assigned private IPaddresses (e.g., IP addresses selected from the 10.0.0.0-10.255.255.255or 192.168.0.0-192.168.255.255 ranges, represented in shorthand assubnets 10.0.0.0/8 and 192.168.0.0/16, respectively).

IV. Example Device, Application, and Service Discovery

In order for remote network management platform 320 to administer thedevices, applications, and services of managed network 300, remotenetwork management platform 320 may first determine what devices arepresent in managed network 300, the configurations and operationalstatuses of these devices, and the applications and services provided bythe devices, and well as the relationships between discovered devices,applications, and services. As noted above, each device, application,service, and relationship may be referred to as a configuration item.The process of defining configuration items within managed network 300is referred to as discovery, and may be facilitated at least in part byproxy servers 312.

For purpose of the embodiments herein, an “application” may refer to oneor more processes, threads, programs, client modules, server modules, orany other software that executes on a device or group of devices. A“service” may refer to a high-level capability provided by multipleapplications executing on one or more devices working in conjunctionwith one another. For example, a high-level web service may involvemultiple web application server threads executing on one device andaccessing information from a database application that executes onanother device.

FIG. 5A provides a logical depiction of how configuration items can bediscovered, as well as how information related to discoveredconfiguration items can be stored. For sake of simplicity, remotenetwork management platform 320, third-party networks 340, and Internet350 are not shown.

In FIG. 5A, CMDB 500 and task list 502 are stored within computationalinstance 322. Computational instance 322 may transmit discovery commandsto proxy servers 312. In response, proxy servers 312 may transmit probesto various devices, applications, and services in managed network 300.These devices, applications, and services may transmit responses toproxy servers 312, and proxy servers 312 may then provide informationregarding discovered configuration items to CMDB 500 for storagetherein. Configuration items stored in CMDB 500 represent theenvironment of managed network 300.

Task list 502 represents a list of activities that proxy servers 312 areto perform on behalf of computational instance 322. As discovery takesplace, task list 502 is populated. Proxy servers 312 repeatedly querytask list 502, obtain the next task therein, and perform this task untiltask list 502 is empty or another stopping condition has been reached.

To facilitate discovery, proxy servers 312 may be configured withinformation regarding one or more subnets in managed network 300 thatare reachable by way of proxy servers 312. For instance, proxy servers312 may be given the IP address range 192.168.0/24 as a subnet. Then,computational instance 322 may store this information in CMDB 500 andplace tasks in task list 502 for discovery of devices at each of theseaddresses.

FIG. 5A also depicts devices, applications, and services in managednetwork 300 as configuration items 504, 506, 508, 510, and 512. As notedabove, these configuration items represent a set of physical and/orvirtual devices (e.g., client devices, server devices, routers, orvirtual machines), applications executing thereon (e.g., web servers,email servers, databases, or storage arrays), relationshipstherebetween, as well as services that involve multiple individualconfiguration items.

Placing the tasks in task list 502 may trigger or otherwise cause proxyservers 312 to begin discovery. Alternatively or additionally, discoverymay be manually triggered or automatically triggered based on triggeringevents (e.g., discovery may automatically begin once per day at aparticular time).

In general, discovery may proceed in four logical phases: scanning,classification, identification, and exploration. Each phase of discoveryinvolves various types of probe messages being transmitted by proxyservers 312 to one or more devices in managed network 300. The responsesto these probes may be received and processed by proxy servers 312, andrepresentations thereof may be transmitted to CMDB 500. Thus, each phasecan result in more configuration items being discovered and stored inCMDB 500.

In the scanning phase, proxy servers 312 may probe each IP address inthe specified range of IP addresses for open Transmission ControlProtocol (TCP) and/or User Datagram Protocol (UDP) ports to determinethe general type of device. The presence of such open ports at an IPaddress may indicate that a particular application is operating on thedevice that is assigned the IP address, which in turn may identify theoperating system used by the device. For example, if TCP port 135 isopen, then the device is likely executing a WINDOWS® operating system.Similarly, if TCP port 22 is open, then the device is likely executing aUNIX® operating system, such as LINUX®. If UDP port 161 is open, thenthe device may be able to be further identified through the SimpleNetwork Management Protocol (SNMP). Other possibilities exist. Once thepresence of a device at a particular IP address and its open ports havebeen discovered, these configuration items are saved in CMDB 500.

In the classification phase, proxy servers 312 may further probe eachdiscovered device to determine the version of its operating system. Theprobes used for a particular device are based on information gatheredabout the devices during the scanning phase. For example, if a device isfound with TCP port 22 open, a set of UNIX®-specific probes may be used.Likewise, if a device is found with TCP port 135 open, a set ofWINDOWS®-specific probes may be used. For either case, an appropriateset of tasks may be placed in task list 502 for proxy servers 312 tocarry out. These tasks may result in proxy servers 312 logging on, orotherwise accessing information from the particular device. Forinstance, if TCP port 22 is open, proxy servers 312 may be instructed toinitiate a Secure Shell (SSH) connection to the particular device andobtain information about the operating system thereon from particularlocations in the file system. Based on this information, the operatingsystem may be determined. As an example, a UNIX® device with TCP port 22open may be classified as AIX®, HPUX, LINUX®, MACOS®, or SOLARIS®. Thisclassification information may be stored as one or more configurationitems in CMDB 500.

In the identification phase, proxy servers 312 may determine specificdetails about a classified device. The probes used during this phase maybe based on information gathered about the particular devices during theclassification phase. For example, if a device was classified as LINUX®,a set of LINUX®-specific probes may be used. Likewise if a device wasclassified as WINDOWS® 2012, as a set of WINDOWS®-2012-specific probesmay be used. As was the case for the classification phase, anappropriate set of tasks may be placed in task list 502 for proxyservers 312 to carry out. These tasks may result in proxy servers 312reading information from the particular device, such as basicinput/output system (BIOS) information, serial numbers, networkinterface information, media access control address(es) assigned tothese network interface(s), IP address(es) used by the particular deviceand so on. This identification information may be stored as one or moreconfiguration items in CMDB 500.

In the exploration phase, proxy servers 312 may determine furtherdetails about the operational state of a classified device. The probesused during this phase may be based on information gathered about theparticular devices during the classification phase and/or theidentification phase. Again, an appropriate set of tasks may be placedin task list 502 for proxy servers 312 to carry out. These tasks mayresult in proxy servers 312 reading additional information from theparticular device, such as processor information, memory information,lists of running processes (applications), and so on. Once more, thediscovered information may be stored as one or more configuration itemsin CMDB 500.

Running discovery on a network device, such as a router, may utilizeSNMP. Instead of or in addition to determining a list of runningprocesses or other application-related information, discovery maydetermine additional subnets known to the router and the operationalstate of the router's network interfaces (e.g., active, inactive, queuelength, number of packets dropped, etc.). The IP addresses of theadditional subnets may be candidates for further discovery procedures.Thus, discovery may progress iteratively or recursively.

Once discovery completes, a snapshot representation of each discovereddevice, application, and service is available in CMDB 500. For example,after discovery, operating system version, hardware configuration andnetwork configuration details for client devices, server devices, androuters in managed network 300, as well as applications executingthereon, may be stored. This collected information may be presented to auser in various ways to allow the user to view the hardware compositionand operational status of devices, as well as the characteristics ofservices that span multiple devices and applications.

Furthermore, CMDB 500 may include entries regarding dependencies andrelationships between configuration items. More specifically, anapplication that is executing on a particular server device, as well asthe services that rely on this application, may be represented as suchin CMDB 500. For instance, suppose that a database application isexecuting on a server device, and that this database application is usedby a new employee onboarding service as well as a payroll service. Thus,if the server device is taken out of operation for maintenance, it isclear that the employee onboarding service and payroll service will beimpacted. Likewise, the dependencies and relationships betweenconfiguration items may be able to represent the services impacted whena particular router fails.

In general, dependencies and relationships between configuration itemsbe displayed on a web-based interface and represented in a hierarchicalfashion. Thus, adding, changing, or removing such dependencies andrelationships may be accomplished by way of this interface.

Furthermore, users from managed network 300 may develop workflows thatallow certain coordinated activities to take place across multiplediscovered devices. For instance, an IT workflow might allow the user tochange the common administrator password to all discovered LINUX®devices in single operation.

In order for discovery to take place in the manner described above,proxy servers 312, CMDB 500, and/or one or more credential stores may beconfigured with credentials for one or more of the devices to bediscovered. Credentials may include any type of information needed inorder to access the devices. These may include userid/password pairs,certificates, and so on. In some embodiments, these credentials may bestored in encrypted fields of CMDB 500. Proxy servers 312 may containthe decryption key for the credentials so that proxy servers 312 can usethese credentials to log on to or otherwise access devices beingdiscovered.

The discovery process is depicted as a flow chart in FIG. 5B. At block520, the task list in the computational instance is populated, forinstance, with a range of IP addresses. At block 522, the scanning phasetakes place. Thus, the proxy servers probe the IP addresses for devicesusing these IP addresses, and attempt to determine the operating systemsthat are executing on these devices. At block 524, the classificationphase takes place. The proxy servers attempt to determine the operatingsystem version of the discovered devices. At block 526, theidentification phase takes place. The proxy servers attempt to determinethe hardware and/or software configuration of the discovered devices. Atblock 528, the exploration phase takes place. The proxy servers attemptto determine the operational state and applications executing on thediscovered devices. At block 530, further editing of the configurationitems representing the discovered devices and applications may takeplace. This editing may be automated and/or manual in nature.

The blocks represented in FIG. 5B are for purpose of example. Discoverymay be a highly configurable procedure that can have more or fewerphases, and the operations of each phase may vary. In some cases, one ormore phases may be customized, or may otherwise deviate from theexemplary descriptions above.

V. CMDB Identification Rules and Reconciliation

A CMDB, such as CMDB 500, provides a repository of configuration items,and when properly provisioned, can take on a key role in higher-layerapplications deployed within or involving a computational instance.These applications may relate to enterprise IT service management,operations management, asset management, configuration management,compliance, and so on.

For example, an IT service management application may use information inthe CMDB to determine applications and services that may be impacted bya component (e.g., a server device) that has malfunctioned, crashed, oris heavily loaded. Likewise, an asset management application may useinformation in the CMDB to determine which hardware and/or softwarecomponents are being used to support particular enterprise applications.As a consequence of the importance of the CMDB, it is desirable for theinformation stored therein to be accurate, consistent, and up to date.

A CMDB may be populated in various ways. As discussed above, a discoveryprocedure may automatically store information related to configurationitems in the CMDB. However, a CMDB can also be populated, as a whole orin part, by manual entry, configuration files, and third-party datasources. Given that multiple data sources may be able to update the CMDBat any time, it is possible that one data source may overwrite entriesof another data source. Also, two data sources may each create slightlydifferent entries for the same configuration item, resulting in a CMDBcontaining duplicate data. When either of these occurrences takes place,they can cause the health and utility of the CMDB to be reduced.

In order to mitigate this situation, these data sources might not writeconfiguration items directly to the CMDB. Instead, they may write to anidentification and reconciliation application programming interface(API). This API may use a set of configurable identification rules thatcan be used to uniquely identify configuration items and determinewhether and how they are written to the CMDB.

In general, an identification rule specifies a set of configuration itemattributes that can be used for this unique identification.Identification rules may also have priorities so that rules with higherpriorities are considered before rules with lower priorities.Additionally, a rule may be independent, in that the rule identifiesconfiguration items independently of other configuration items.Alternatively, the rule may be dependent, in that the rule first uses ametadata rule to identify a dependent configuration item.

Metadata rules describe which other configuration items are containedwithin a particular configuration item, or the host on which aparticular configuration item is deployed. For example, a networkdirectory service configuration item may contain a domain controllerconfiguration item, while a web server application configuration itemmay be hosted on a server device configuration item.

A goal of each identification rule is to use a combination of attributesthat can unambiguously distinguish a configuration item from all otherconfiguration items, and is expected not to change during the lifetimeof the configuration item. Some possible attributes for an exampleserver device may include serial number, location, operating system,operating system version, memory capacity, and so on. If a rulespecifies attributes that do not uniquely identify the configurationitem, then multiple components may be represented as the sameconfiguration item in the CMDB. Also, if a rule specifies attributesthat change for a particular configuration item, duplicate configurationitems may be created.

Thus, when a data source provides information regarding a configurationitem to the identification and reconciliation API, the API may attemptto match the information with one or more rules. If a match is found,the configuration item is written to the CMDB. If a match is not found,the configuration item may be held for further analysis.

Configuration item reconciliation procedures may be used to ensure thatonly authoritative data sources are allowed to overwrite configurationitem data in the CMDB. This reconciliation may also be rules-based. Forinstance, a reconciliation rule may specify that a particular datasource is authoritative for a particular configuration item type and setof attributes. Then, the identification and reconciliation API will onlypermit this authoritative data source to write to the particularconfiguration item, and writes from unauthorized data sources may beprevented. Thus, the authorized data source becomes the single source oftruth regarding the particular configuration item. In some cases, anunauthorized data source may be allowed to write to a configuration itemif it is creating the configuration item or the attributes to which itis writing are empty.

Additionally, multiple data sources may be authoritative for the sameconfiguration item or attributes thereof. To avoid ambiguities, thesedata sources may be assigned precedences that are taken into accountduring the writing of configuration items. For example, a secondaryauthorized data source may be able to write to a configuration item'sattribute until a primary authorized data source writes to thisattribute. Afterward, further writes to the attribute by the secondaryauthorized data source may be prevented.

In some cases, duplicate configuration items may be automaticallydetected by reconciliation procedures or in another fashion. Theseconfiguration items may be flagged for manual de-duplication.

VI. Example Normalization of Configuration Items Using CanonicalInformation

During each phase of discovery, various modules of computationalinstance 322 may process the responses to the probes sent from proxyservers 312. Such processing may assist in identifying variouscharacteristics of the devices, applications, services, andrelationships represented by the responses. After processing theresponses, the modules may update configuration items stored in the CMDB500 such that these configuration items more accurately represent adevice, application, service, or relationship that is present in themanaged network. Such processing and updating of configuration items maybe referred to as normalization.

As an example of this processing, computational instance 322 may compareinformation received from proxy servers 312 to data stored in anormalization database to determine whether a configuration item iscorrectly identified. This data could be referred to herein as canonicalnormalization information, and may correspond to attributes associatedwith known configuration items such as devices, services, orrelationships that may exist within a managed network. For example, acomputing device may be represented by attributes that include a model,type, and operating system of the computing device. As another example,a software application installed on a computing device may berepresented by attributes that include a name, publisher, edition,version, operating system, and/or a product description of the softwareapplication.

To help ensure that configuration items are consistently identifiedcorrectly, the process of normalization may involve updating identifyinginformation stored in the normalization database for a particularconfiguration item with canonical normalization information thatcorresponds to attributes of that configuration item.

Considering a particular software application that is installed on aclient device of managed network 300, for example, canonicalnormalization information may include information that corresponds toattributes of that software application. To that end, identifyinginformation stored in the database for software application “A” mayspecify that publisher “X” is the publisher for software application A.But canonical normalization information stored in the content librarymay specify that publisher “Y” is the publisher for the softwareapplication A. As a result, based on this canonical normalizationinformation, the system may update the identifying information stored inthe database to instead specify that publisher Y is the publisher forsoftware application A.

In some situations, however, the normalization database may initiallynot include canonical normalization information for a particularsoftware application, and thus normalization information for thissoftware application may be manually entered, such as following a promptdisplayed on a graphical user interface (GUI) of a client device. Afterestablishing normalization information for the particular softwareapplication by way of such manual entry, the normalization database mayeventually be updated to include canonical normalization information forthe particular software application.

Though each attribute of the software application may ultimately benormalized in some scenarios, some of the attributes may remainunidentified in other scenarios.

VII. Example Determination of Software License Information

Generally, normalization may be useful to an enterprise for variousreasons. For example, each client device of an enterprise may be taskedwith performing a set of operations, and accordingly may use acombination of software applications to perform those tasks. While somesuch software applications may be hosted by an aPaaS system, asdescribed above in relation to FIGS. 1 through 4, others may beinstalled on the individual computing, client, and/or server devicesthemselves. Such software is often proprietary, and may be licensed invarious ways.

Regardless of the licensing scheme, the enterprise may attempt to keeptrack of which of its computing, client, and/or server devices use whatlicensed software. To facilitate this, the enterprise may attempt tomaintain accurate software entitlement records, which provideinformation about software license rights held by the enterprise'smanaged network. Such license information may include informationspecific to various software applications. As an example, for a givensoftware application, license information may include a publisher/vendorname for the software application, a publisher part number, a softwaremodel (e.g., a name, version, and/or edition of the softwareapplication), a license metric of the software application (e.g.,whether the software application is licensed per computing device, perprocessor, per processor core, per user, etc.), and/or a licenseduration of the software application. Additionally or alternatively,such license information may include information that representscollective software usage for the managed network, including but notlimited to purchased rights (e.g., number of licenses purchased/held bythe managed network) and/or license metrics for the managed network,among others.

In any case, by maintaining accurate information in its softwareentitlement records—as well as by maintaining accurate identifyinginformation about its software applications, as discussed above—theenterprise can even better track to what degree software usage complieswith software license rights held by the managed network.

Still, tracking software application usage across an entire enterprisemay present challenges. A large enterprise may use thousands of separatecomputing devices, each of which may use a set of software applications.Further, such computing devices may go in and out of service, or requiredifferent software applications over time. Still further, differentversions or builds of each software application may be installed acrossthese computing devices.

Tracking the use of software within an enterprise may be achieved usingan aPaaS system as described above in relation to FIGS. 1 through 5B.Such an aPaaS system may be particularly suited to tracking suchsoftware usage because the aPaaS system may gather information fromcomputing devices in managed networks such as the enterprise. Othertechniques for tracking the use of software within an enterprise arepossible as well.

As will be discussed in more detail below, the embodiments describedherein provide a technical improvement over previous approaches forsoftware asset management, including but not limited to improvements tomaintaining accurate, consistent, and up-to-date identifying informationfor software applications and maintaining accurate, consistent, andup-to-date software entitlement records.

VIII. Example Out-of-Band Delivery of Configuration Data

As noted above, the remote network management platform 320 may providevarious services accessible to users of managed networks (e.g.,enterprises and employees thereof) via computational instances (e.g.,computational instance 322). In particular, these services may beprovided through higher-level applications—also referred to herein as“software modules”—deployed within or involving a computationalinstance, such as computational instance 322. For the purposes ofexample, embodiments described herein involve a one-to-one mapping of asoftware module to a service. That is, any one software module may bedesignated for, and thus enable access to, one particular service.However, it should be understood that, in some scenarios, one softwaremodule may be configured to enable access to multiple differentservices.

An example of such a service may be a software asset management service,which enables an enterprise to determine which hardware and softwarecomponents are being used to support certain enterprise operations.Another example service may be a security operations management service,which enables an enterprise to implement security procedures foravoiding potential security risks, as well as for detecting,identifying, and possibly remedying security threats. Other exampleservices are possible as well, such as policy and compliance management,risk management, audit management, and vendor risk management.

To enable a software module to provide a particular service for whichthe software module is designated, the software module may haveassociated configuration data. This “configuration data” may refer toany data (e.g., source code, executable code, data on which codeoperates, scripts, and/or environment variables) that defines how thesoftware module operates, is accessed, is designed, and/or provides theparticular service. As an example, configuration data for a softwareasset management software module may include hardware attributes,software attributes, canonical normalization information, licenseinformation, or other information that facilitates discovery, softwareentitlement, and/or other operations performed by the enterprise.

As another example, configuration data for a security operationsmanagement software module may include observable indicators ofparticular security threats (e.g., names of security threats, or IPaddresses, URLs, email addresses, etc. that are known or suspected to beassociated with security threats), security policies (e.g., workflowsfor mitigating and/or preventing certain types of security threats),and/or other parameters related to detecting, identifying, and handlingsecurity threats.

As yet another example, configuration data could additionally oralternatively include more general configuration data, such as bug fixesfor the software modules. Other configuration data examples can includeone or more of the following: record-based rules (e.g., rules definingactions that can be performed with respect to a record stored in adatabase), client scripts (e.g., client-side JavaScript that runs in aweb browser), script includes (e.g., server-side scripts that define afunction or class), UI policies (e.g., code or scripts that define howthe behavior of information on a form can change and/or that defineprocess flows for completing tasks), and UI macros (e.g., discrete,custom scripted controls or interfaces that can be added to a UI). Otherexamples of configuration data are possible as well.

Management of the configuration data may occur at a centralcomputational instance—also referred to herein as a central data source(CDS) instance—that is associated with a central network. The centralnetwork may be a different, separate network from any managed network(e.g., managed network 300) that is associated with an enterprise orother customer. For example, the central network may be managed by anentity associated with the remote network management platform 320.Still, the CDS instance can be configured similarly to any of the othercomputational instances described herein. For example, the CDS instancemay have a dedicated central database on one or more server devices, andmay store the configuration data (as well as updates thereto) in thecentral database. Other information may be stored at the centraldatabase as well. Further, in some embodiments, management of theconfiguration data can occur at other computational instances, such asany computational instance developed by the entity associated with theremote network management platform 320.

From time to time, the remote network management platform 320 may updatethe software module, thereby updating the configuration data associatedwith the software module. These updates may be delivered by the remotenetwork management platform 320 (e.g., by the CDS instance) in the formof new software releases for the software module and/or patches to newor previous software releases.

Typically, the remote network management platform 320 may deliver theseupdates at a plurality of release times. One or more of the plurality ofrelease times may be predetermined (e.g., scheduled). For example,updates to the software module may occur at a predetermined frequencyover a predetermined period of time, such as (i) monthly patches for atleast one year, (ii) quarterly patches for at least one year, (iv)monthly patches until a new version of the software is released, and/or(v) monthly patches for six months and quarterly patches thereafter,among other possibilities. Additionally or alternatively, one or more ofthe plurality of release times may be dynamically determined, and mightnot be known by the enterprise (or perhaps even an entity associatedwith the remote network management platform) in advance. For example, insome scenarios, the remote network management platform 320 may require auser to manually navigate to a designated web page and submit a request(e.g., an incident ticket) to schedule an upgrade. In response to therequest, the remote network management platform 320 may responsivelygrant the request and schedule the upgrade at a time dictated by anentity associated with the remote network management platform 320 or atime agreed upon by the user and the entity.

For the purposes of example, a delivery of updates to the softwaremodule (and configuration data associated therewith) that typicallyoccurs at the plurality of release times discussed above may be referredto herein as “in-band” delivery.

However, the remote network management platform 320 may update theconfiguration data associated with the software module more frequentlythan in-band deliveries of updates to the software module occur. Forexample, in-band delivery of releases or patches for the software modulemay occur monthly, yet the remote network management platform 320 mayupdate or otherwise change the configuration data on a daily or weeklybasis, or perhaps at some other times.

As such, existing implementations of in-band delivery of updates tosoftware modules may present a delay between when configuration data isupdated and when users have access to that latest update. There may bevarious reasons for this delay. For example, the remote networkmanagement platform may test a release or patch before authorizingin-band delivery of the release or patch. As another example, if a usersubmits a request to schedule an upgrade, the user may have to wait daysor weeks until the remote network management platform processes therequest, approves the request, and perhaps performs additional actionsrelated to the request (e.g., assigning the request to an agent). Otherfactors may contribute to the delay as well.

In any event, users may be required to wait long periods of time (e.g.,months or longer) until an in-band delivery in order to update thesoftware module with the latest configuration data. This may beparticularly problematic for users whose operations may be helped orimproved by access to the latest configuration data, but whom are unableto access such configuration data as-needed.

For at least these reasons, improved scalability to the process ofdelivering updates to configuration data is desired, as well asincreased efficiency in accessing configuration data on an as-neededbasis.

Accordingly, the present disclosure provides an improved remote networkmanagement platform that supports out-of-band delivery of configurationdata—namely, delivery of configuration data that is made during a timeother than any of the plurality of release times described above. Inparticular, a CDS instance of a remote network management platform maybe configured with program logic to accept and process requests fromother computational instances (e.g., enterprise computational instancesassociated with respective managed networks) for out-of-band delivery ofthe configuration data. These other computational instances—hereafterreferred to as “enterprise computational instances” or, by way ofexample, computational instance 322—may be configured to execute thesoftware module with which the configuration data is associated. Uponacceptance and processing of the requests for out-of-band delivery, theCDS instance may enable the enterprise computational instance to receivethe latest configuration data from the CDS instance's central database.The enterprise computational instance may then write that configurationdata to a local database disposed within the enterprise's computationalinstance. Thereafter, the enterprise computational instance may executethe software module with the configuration data.

The present disclosure therefore improves computer functionality in thatenterprise computational instances can access the latest configurationdata and execute a software module according to that configuration data,thereby enabling the enterprise computational instances to takeadvantage of the latest improvements and other changes made to theconfiguration data with minimal to no delay. The ability to run thelatest software and have as-needed access to the latest configurationdata may in turn enable enterprises to better utilize the remote networkmanagement platform's services. For example, access to the latestcanonical normalization information may improve discovery results for anenterprise, and/or access to the latest security policies may reduce theexposure and impact of security threats on client devices in theenterprise's managed network.

Furthermore, at least part of the disclosed process can be automated,thereby even further reducing delay, and additionally reducing oreliminating efforts taken by the remote network management platform toschedule in-band, or even out-of-band, deliveries of updates toconfiguration data. Moreover, it should be understood that configurationdata that is delivered out-of-band might not be exclusive to out-of-banddeliveries. For example, configuration data that is deliveredout-of-band could be delivered in-band, and vice versa.

These and other improvements are described in more detail below, thoughit should be understood that the operations described below are forpurposes of example. Systems relating to out-of-band delivery ofconfiguration data may provide other improvements as well.

An example of out-of-band delivery of configuration data will now bedescribed with respect to FIG. 6. FIG. 6 depicts yet anothercommunication environment involving a remote network managementarchitecture, in accordance with example embodiments. As shown, CDSinstance 600 includes central database 602. In some embodiments, centraldatabase 602 may be located on one or more server devices (not shown).Further, central database 602 includes a source table with three sourcefields (Source Field 1, Source Field 2, and Source Field 3). Each ofthese source fields may correspond to at least a portion of theconfiguration data for a particular software module.

In other embodiments, central database 602 may include additional tablesand/or more or less source fields. In many of such embodiments, centraldatabase 602 may include many more source fields than those shown inFIG. 6, such as hundreds of source fields. Further, in embodiments wherecentral database 602 includes multiple source tables, some source fieldsmay be present in more than one of such source tables. For example,central database 602 could include three source tables, and Source Field1 may be present in each of the three source tables. Other examples arepossible as well.

In some embodiments, CDS instance 600 may include a scoped application,such as scoped application 604. Such a scoped application may be anapplication customized by an entity associated with the remote networkmanagement platform 320. Further, scoped application 604 may beconfigured to run on CDS instance 600 and may be programmed with logicto receive and process requests for out-of-band delivery of theconfiguration data. In addition, scoped application 604 may haveassociated access rules, perhaps in the form of an access control list(ACL), that define which users (e.g., users with an administrator role)and/or other applications are allowed to access scoped application 604and its data.

In other embodiments, other applications or computing devices could beinstalled or otherwise disposed on CDS instance 600 and could performsome or all of the operations related to receiving and processingrequests for out-of-band delivery.

As further shown in FIG. 6, CDS instance 600 is in communication with arepresentative enterprise computational instance—namely, computationalinstance 322. Computational instance 322 includes local database 606 andsoftware module 608. In the example shown in FIG. 6, the configurationdata stored in the source table at CDS instance 600 includesconfiguration data for software module 608. Further, local database 606includes a destination table with three destination fields (DestinationField 1, Destination Field 2, and Destination Field 3).

In other embodiments, local database 606 may include additional tablesand/or more or less destination fields. In many of such embodiments,local database 606 may include many more destination fields than thoseshown in FIG. 6, such as hundreds of destination fields. Further, inembodiments where local database 606 includes multiple destinationtables, some destination fields may be present in more than one of suchdestination tables. For example, local database 606 could include threedestination tables, and Destination Field 1 may be present in each ofthe three destination tables. Other examples are possible as well.

In some embodiments, computational instance 322 (or any computationalinstance that can request out-of-band delivery of configuration data,for that matter) may include a registry table. For example, localdatabase 606 is shown to include registry table 610. Such a registrytable may contain information identifying one or more source fields ofthe source table in central database 602 and may define a mappingbetween the one or more source fields and corresponding destinationfields of the destination table in local database 606. Computationalinstance 322 can thus refer to the registry table in order to determinewhich source fields correspond to which destination fields, as well aswhat kind of configuration data is associated with each such field. Forexample, suppose that Destination Field 3 is mapped to Source Field 1and computational instance 322 requests out-of-band delivery ofconfiguration data from Source Field 1. Upon receipt of theconfiguration data, computational instance 322 can refer to the mappingdefined by registry table 610 to determine that the configuration datais to be stored at Destination Field 3. Further, such a mapping may beparticularly useful in scenarios where column names in the source tableare different from those in the destination table.

In any event, when changes are made to the source table, such as anaddition of a new column to the source table, the registry table mayneed to be updated to include a mapping of the destination table to thechanged source table (e.g., to the newly added column). Likewise, when asource table is added to the central database, the registry table may beupdated to include a mapping of the destination table to the newly addedsource table. Further, fields in one source table can be split acrossmultiple destination tables, or vice versa.

In some embodiments, the registry table may include or otherwise serveas the destination table, and thus requested configuration data may bestored in the registry table. Alternatively, in other embodiments, theregistry table and the destination table may be separate tables.

In some embodiments, computational instance 322 (or any computationalinstance that can request out-of-band delivery of the configurationdata, for that matter) may include a schedule table. For example, localdatabase 606 is shown to include schedule table 612. Such a scheduletable may contain information defining when computational instance 322will request out-of-band delivery of the configuration data.Computational instance 322 can thus refer to the schedule table in orderto determine a time or frequency at which to request out-of-banddelivery of the configuration data, and then transmit such a request atthat time or frequency. For example, the schedule table may containinformation specifying that the computational instance 322 is to requestout-of-band delivery of the configuration data on a daily basis (e.g.,at the same specified time each day). Additionally or alternatively, theschedule table may contain information specifying other times orfrequencies at which to request out-of-band delivery of theconfiguration data. Such times or frequencies could be predetermined orrandomized. For example, out-of-band deliveries of configurationinformation may be configured to be regulated weekly, such as on Sundayat 1:00 am of the time zone in which computational instance 322 residesor of the time zone of the entity computational instance 322 serves. Inother embodiments, computational instance 322 (e.g., one or morecomputing devices disposed thereon) may be configured to determine whento request out-of-band delivery of the configuration data in anothermanner, other than using a schedule table.

In some embodiments, the registry table and/or the schedule table may beaccessible to and/or managed by only authorized parties, such as a userassociated with the enterprise (e.g., an administrator employed by theenterprise), an application developer certified by the entity associatedwith the remote network management platform 320, and/or other parties.Each such party may have various degrees of authorization, including butnot limited to the authority to view the registry table and/or theschedule table, populate the registry table and/or the schedule tablewith information, and/or update the registry table when changes are madeto the source table or when a new source table is added, among otherpossibilities.

With the architecture shown in FIG. 6, when an enterprise seeks toinitiate an out-of-band delivery of the configuration data,computational instance 322 may determine one or more source fields ofthe source table, where the source field(s) contain the configurationdata for which the enterprise will request out-of-band delivery. Thisact of determining one or more source fields may involve computationalinstance 322 receiving, from the enterprise, user input representing aselection of configuration data for which computational instance 322will request out-of-band delivery. Because the selected configurationdata corresponds to one or more of the source fields present in thesource table of central database 602 and identified by registry table610, selecting the configuration data acts as a determination of one ormore source fields.

As an example, the enterprise may access a web-portal or softwareapplication through which the remote network management platform 320provides a GUI that includes a catalog of types of configuration dataand enables the enterprise to select the configuration data. If softwaremodule 608 is a software asset management software module, for instance,the enterprise may select the entirety of software asset managementconfiguration data stored at central database 602. Alternatively, theenterprise could select a subset of the software asset managementconfiguration data stored at central database 602, such as a subset ofthe configuration data that is updated more frequently than othersoftware asset management configuration data outside of the subset. Theenterprise may select other portions or entireties of configuration datarelated to other software modules as well.

Further, as a more particular example, the remote network managementplatform 320 may enable the enterprise to subscribe to out-of-banddelivery of certain types of configuration data. For example, ifsoftware module 608 is a software asset management software module, theenterprise may subscribe to out-of-band delivery of at least a portionof software asset management configuration data stored at centraldatabase 602. Once subscribed, the remote network management platform320 may enable such configuration data to be delivered out-of-band tocomputational instance 322.

In some embodiments, when any amount of the configuration data forsoftware module 608 is selected (e.g., subscribed to)—be it a subset ofthe configuration data for software module 608 or the entirety of theconfiguration data for software module 608—this may cause schedule table612 to be populated with a time, time period, frequency, etc. accordingto which computational instance 322 will transmit requests for theout-of-band-delivery.

After selecting the configuration data to be delivered out-of-band,computational instance 322 may transmit a request for an out-of-banddelivery of the configuration data. The act of transmitting the requestmay take various forms. For example, computational instance 322 maytransmit a single request message or series of request messages to CDSinstance 600 (e.g., to a computing device of CDS instance 600 runningscoped application 604). In scenarios where only a single requestmessage is transmitted, the request message may include identifier ofall the source fields having the selected configuration data. On theother hand, in scenarios where a series of request messages aretransmitted, each such request message may include identifiers of thesource fields having the selected configuration data. In someembodiments, the request message(s) may take the form of arepresentational state transfer (REST) API call or series of REST APIcalls.

Referring to FIG. 6, to receive an out-of-band delivery of configurationdata, computational instance 322 may transmit a request messageincluding an identifier of Source Field 1.

In scenarios where schedule table 612 defines a time at whichcomputational instance 322 is to transmit the request, the act oftransmitting the request may involve doing so (e.g., transmit a requestmessage, or begin transmitting a series of request messages) at thattime. Further, in scenarios where schedule table 612 defines a frequencyat which to transmit requests for out-of-band delivery of theconfiguration data, the act of transmitting the request may involvetransmitting requests for the out-of-band delivery of the configurationdata to occur at that frequency (e.g., transmit a request every day at1:00 am).

In any event, upon receipt of a request message or messages, CDSinstance 600 may in turn transmit another request message or series ofrequest to a server device or other type of computing device on whichcentral database 602 is located, in order to obtain the requestedconfiguration data from the source table. CDS instance 600 may thentransmit the configuration data to computational instance 322, eitherall at once or in batches. For example, CDS instance 600 may transmitthe configuration data in batches of five thousand (e.g., five thousandindividual units of executable code, scripts, or other data). Theconfiguration data can be transmitted in various forms, such as in oneor more JavaScript Object Notation (JSON) arrays.

Upon receipt of the configuration data, computational instance 322 maywrite the configuration data to whichever destination field(s) in localdatabase 606 are mapped to the source field(s) from which theconfiguration data was received. Referring to FIG. 6, for example,computational instance 322 may receive configuration data from SourceField 1. Computational instance 322 may refer to registry table 610 todetermine that Source Field 1 is mapped to Destination Field 3. Inresponse to this determination, computational instance 322 may write theconfiguration data from Source Field 1 to Destination Field 3.

Furthermore, if the received configuration data includes updates toprevious versions of configuration data that is already stored in localdatabase 606, computational instance 322 may update the previousversions with the newly-received configuration data, and if theconfiguration data includes new configuration data for which there areno previous versions in local database 606, computational instance 322may create new fields in local database 606 that correspond to the newconfiguration data.

In some embodiments, in order to update registry table 610 with newfields, mappings, etc., such updates may be included as part of theconfiguration data stored at central database 602. Thus, whencomputational instance 322 receives configuration data including suchupdates, this may trigger registry table 610 to be updated.

Once the configuration data has been delivered and stored in localdatabase 606, software module 608 may then be executed in accordancewith that configuration data. In some embodiments, once theconfiguration has been delivered and stored, computational instance 322may require, or give the option for, the enterprise (e.g., an individualwith administrator privileges, or a certified application developer) toview and approve the configuration data before software module 608 canbe executed. This may help the enterprise avoid processing any unwantedconfiguration data, such as configuration data that the enterprise mayhave obtained by mistake, or perhaps configuration data that theenterprise suspects could cause problems if processed.

In some embodiments, CDS instance 600 may enable an enterprise to opt-infor transmitting certain information to CDS instance 600, particularlyinformation that may in turn enable the remote network managementplatform 320 to provide to the enterprise or other enterprises, in asubsequent out-of-band delivery, configuration data that the enterpriseneeds.

As an example, if the enterprise is lacking canonical normalizationinformation for attributes of a particular software applicationinstalled on one or more client devices of managed network 300, CDSinstance 600 may enable computational instance 322 to transmit suchattributes to CDS instance 600. The remote network management platform320 (e.g., an employee or other user associated with the entity thatcontrols the remote network management platform) may then create orgather canonical normalization information corresponding for thoseattributes and include the canonical normalization information in anout-of-band delivery of configuration data to computational instance322. Other examples are possible as well.

As another example, if one or more enterprises deploy a new softwareapplication, there may be no canonical normalization information forthat software application. The enterprise(s) may indicate this to CDSinstance 600, and then CDS instance 600 may be used to create thecanonical normalization information for the software application. (Thismay also benefit all enterprises using the remote network managementplatform 320, since all enterprises may then have access to thecanonical normalization information created for that softwareapplication.)

In these and other situations, the ability for the enterprise to opt-infor transmitting information to CDS instance 600 in this manner may bebeneficial in that it notifies the remote network management platform320 when the enterprise needs certain information and enables the remotenetwork management platform 320 to efficiently provide the enterprisewith the information the enterprise needs, thereby enabling theenterprise to better perform its operations. To more quickly provide theenterprise with needed information, the information may be included inout-of-band deliveries of configuration data. However, in somesituations, the information could additionally or alternatively beincluded in in-band deliveries of configuration data.

To facilitate this, scoped application 604 may be further programmedwith logic to receive such information from computational instance 322.Further, the remote network management platform 320 may provide aweb-portal or software application through which the enterprise canselect which information the enterprise will approve for transmission toCDS instance 600, such as a software application providing, forcomputational instance 322, a settings menu including the option toopt-in for transmission of select information. The selection can be madewith varying granularity. For example, a selection can be made toapprove transmission of all attributes of all software applicationsinstalled on client devices in managed network 300 for whichcomputational instance 322 is unable to find corresponding canonicalnormalization information. As another example, the selection can be madeto approve transmission of only a portion of attributes of all suchsoftware applications. As yet another example, the selection can be madeto approve transmission of some or all attributes of only one or moresoftware applications. Other examples are possible as well.

In response to a selection and approval of a particular type ofinformation, computational instance 322 may be configured to gather andstore, in registry table 610 or another location in local database 606,that type of information. Computational instance 322 may then transmitthe information to CDS instance 600, which CDS instance 600 may thenstore in central database 602. In some embodiments, CDS instance 600 mayinclude, in central database 602 or in a separate database, a “staging”table configured to store information received from computationalinstance 322. In some embodiments, computational instance 322 may havestored, at schedule table 612 or in another form, data indicative of howoften (e.g., a time or frequency) to transmit the information to CDSinstance 600. For example, computational instance 322 may transmit theinformation to CDS instance 600 on a weekly basis. In some embodiments,a web-portal or software application may enable the enterprise and/orthe entity associated with the remote network management platform 320 tochange how often the information is transmitted.

An example of this process is shown in FIG. 7. FIG. 7 depicts anothercommunication environment involving the remote network managementarchitecture of FIG. 6, but with different communication occurringbetween computational instance 322 and CDS instance 600. As shown,computational instance 322 may transmit approved software applicationattributes from registry table 610 to CDS instance 600.

In some embodiments, once information is approved for transmission toCDS instance 600, computational instance 322 may be configured totransmit, and CDS instance 600 may be configured to receive, theinformation at various times. These times may be set by the enterpriseor by another entity (e.g., by the entity controlling the remote networkmanagement platform 320). For example, the enterprise may select (e.g.,via a web-portal or software application) to transmit approvedinformation at a particular frequency (e.g., daily or weekly).Alternatively, in response to approval of certain information,computational instance 322 may be automatically configured to transmitthe information at a particular frequency. Other examples are possibleas well.

In some embodiments, the selected and approved information may betransmitted to CDS instance 600 anonymously—namely, without transmittingany information that identifies the enterprise and/or a user associatedtherewith, such as an identifier of computational instance 322 or a useraccount number.

In some embodiments, scoped application 604 may be further programmed torandomly reject information received from a computational instance. Thismay help provide anonymity for the enterprises associated with theinformation transmitted from their respective computational instances.

Various types of information can be transmitted to CDS instance 600 inthe manner discussed above. As noted above, computational instance 322may determine attributes of at least one software application installedon at least some client devices of managed network 300, and determinethat the attributes are approved by the enterprise for transmission toCDS instance 600 (e.g., by receiving user input representing selectionof the attributes). In response to determining that the attributes areapproved by the enterprise, computational instance 322 may transmit theattributes to CDS instance 600. Such attributes may include any one ormore of the attributes described above, such as a name of the at leastone software application, a version of the at least one softwareapplication, and/or a vendor of the at least one software application.

As further noted above, the approved attributes may, in some situations,include attributes for which computational instance 322 is unable tofind corresponding canonical normalization information. In thesesituations, computational instance 322 may transmit a discovery modelthat indicates, in the form of a JSON array, attributes for which nocorresponding canonical normalization information was found.Computational instance 322 could transmit such attributes in other formsas well. In response to receiving such attributes, the remote networkmanagement platform 320 may include the corresponding canonicalnormalization information for the attributes in the source table so thatthe corresponding canonical normalization information can be included ina subsequent out-of-band delivery of configuration data to computationalinstance 322.

In some embodiments, computational instance 322 may be configured toreport to CDS instance 600 statistics associated with the configurationdata the enterprise has downloaded, such as which configuration data isin use by the enterprise and which configuration data has beendownloaded, but not in use, among other possible statistics. Forexample, in such embodiments, computational instance 322 may transmit,in the discovery model or in another form, along with the attributes forwhich the enterprise does not have corresponding canonical normalizationinformation, attributes for which the enterprise has correspondingcanonical normalization information, so as to inform CDS instance 600 ofwhich canonical normalization information is in use by the enterprise,or for other reasons.

As discussed above, the ability to maintain accurate identifyinginformation about the enterprise's software applications and accurateinformation in the enterprise's software entitlement records may enablethe enterprise to track to what degree software usage complies withsoftware license rights held by managed network 300. As such, in someembodiments, the approved attributes may include license information forat least one software application installed on client devices of managednetwork 300. The license information may include at least a portion ofthe information described above, such as license metrics and licensedurations.

In some situations, when the enterprise is entering license informationfor a particular software application, the enterprise may encounter anerror notifying the enterprise that a publisher part number has not beenfound for the software application. In particular, such an error may beindicated in response to computational instance 322 determining that acontent library of the aPaaS system (e.g., a database specifying variouspublisher part numbers) does not contain a particular publisher partnumber inputted during an attempt by the enterprise to enter the licenseinformation for the software application. In such situations,computational instance 322 may store an indication that the particularpublisher part number is needed for that software application, and thelicense information transmitted to CDS instance 600 may include anindication that a publisher part number is missing for the softwareapplication. Based on the license information included in thetransmission for the software application (e.g., a name and/or versionof the software application), or perhaps based on other information, theremote network management platform 320 may determine the publisher partnumber and include the publisher part number the source table so thatthe publisher part number can be included in a subsequent out-of-banddelivery of configuration data to computational instance 322.

In some embodiments, the approved information transmitted to CDSinstance 600 may include information related to security operations. Forexample, if managed network 300 encounters a security threat for whichthe enterprise does not have an associated workflow for preventing,computational instance 322 may store and then transmit, to CDS instance600, information identifying the security threat. The enterprise maythen later receive, in an out-of-band delivery of configuration data, arepresentation of the workflow for preventing the security threat. Otherexamples are possible as well.

In some embodiments, scoped application 604 (or another application orcomputing device) may be configured to determine whether particularinformation associated with computational instance 322 meets certainpredefined criteria before scoped application 604 enables configurationdata to be delivered out-of-band to computational instance 322 and/orbefore scoped application 604 enables approved information to bereceived from computational instance 322. To facilitate this, centraldatabase 602 may include information associated with computationalinstance 322, such as existing configuration data associated withcomputational instance 322. This information may take various forms. Forexample, this information may include a respective software releaseversion of one or more software modules installed on computationalinstance 322. Additionally or alternatively, this information mayinclude other attributes of computational instance 322, and/or perhapsattributes of client devices of managed network 300.

In an example embodiment, at some point in time before enablingcomputational instance 322 to receive at least a portion of theconfiguration data associated with software module 608 in accordancewith a request for out-of-band delivery, CDS instance 600 may refer tocentral database 602 to determine which software release version ofsoftware module 608 computational instance 322 has installed. Inresponse to the determination being that computational instance hasinstalled the most-recent software release of software module 608, CDSinstance 600 may enable computational instance 322 to receive at least aportion of the configuration data associated with software module 608.In this and other situations, the remote network management platform 320can learn of how computational instance 322 and/or other applications,devices, etc. associated with an enterprise is configured beforeallowing the enterprise to receive certain configuration data. This maybe particularly useful in scenarios where receipt and execution ofcertain configuration data could cause problems for the enterprise. Forexample, if computational instance 322 is running a software releaseversion of software module 608 that is much older (e.g., two years old)than the current software release version of software module 608,receipt and execution of certain configuration data may cause users toexperience errors when executing software module 608. Further, this maybe useful in a scenario in which a schema of the destination table ofcomputational instance 322 differs from the schema of the source tableof CDS instance 600, which, if not corrected, could result in certaindownloaded configuration data not being stored.

IX. Example Operations

FIG. 8 depicts a flow chart illustrating an example embodiment. Theprocess illustrated by FIG. 8 is described as carried out by a computingdevice (e.g., computing device 100) disposed within a computationalinstance of a remote network management platform (e.g., computationalinstance 322 of remote network management platform 320). Additionally oralternatively, this process could be carried out by another computingdevice, another a computational instance, or perhaps by a cluster ofcomputing devices (e.g., server cluster 200). However, the process canbe carried out by other types of devices or device subsystems. Forexample, the process could be carried out by a portable computer, suchas a laptop or a tablet device.

The embodiment of FIG. 8 may be simplified by the removal of any one ormore of the features shown therein. Further, this embodiment may becombined with features, aspects, and/or implementations of any of theprevious figures or otherwise described herein.

In FIG. 8, block 800 involves determining, by a computing devicedisposed within a particular computational instance of a remote networkmanagement platform, one or more source fields of a source table withina central database of a central computational instance of the remotenetwork management platform, the one or more source fields containingconfiguration data for a software module. The software module, whenexecuted, may enable access to a software management service provided bythe remote network management platform. The central computationalinstance may be configured to deliver updates to the software module,including updates to the configuration data, at a plurality of releasetimes. The particular computational instance may be one of a pluralityof computational instances of the remote network management platformthat are associated with respective managed networks and configured toexecute the software module. A local database may be disposed within theparticular computational instance.

Block 802 involves transmitting, by the computing device, a request foran out-of-band delivery of the configuration data contained in the oneor more source fields. The out-of-band delivery may be made during atime other than any of the plurality of release times.

Block 804 involves determining, by the computing device, one or moredestination fields of a destination table within the local database ofthe particular computational instance.

Block 806 involves receiving, by the computing device, the configurationdata from the one or more source fields and writing the configurationdata to the one or more destination fields.

Block 808 involves executing, by the computing device, the softwaremodule in accordance with the configuration data stored in the one ormore destination fields.

In some embodiments, the managed network associated with the particularcomputational instance is controlled by an entity. In such embodiments,the computing device may determine attributes of at least one softwareapplication installed on at least some client devices of the managednetwork, determine that the attributes are approved by the entity fortransmission to the central computational instance, and in response todetermining that the attributes are approved by the entity, transmit theattributes to the central computational instance.

In such embodiments, the computing device may be configured to identifysoftware applications installed on client devices of the managed networkusing canonical normalization information that respectively correspondsto attributes of the software applications. The attributes of the atleast one software application may comprise attributes for which thecomputing device is unable to find corresponding canonical normalizationinformation. The attributes of the at least one software application maycomprise one or more of: a name of the at least one softwareapplication, a version of the at least one software application, or avendor of the at least one software application. In such embodiments,the out-of-band delivery of the configuration data may include thecorresponding canonical normalization information for the attributes ofthe at least one software application.

In such embodiments, the attributes may comprise license information forthe at least one software application. The license information maycomprise one or more of: a name of the at least one softwareapplication, a version of the at least one software application, apublisher of the at least one software application, a license metric ofthe at least one software application, or a license duration of the atleast one software application.

In such embodiments, the act of transmitting the attributes to thecentral computational instance may involve transmitting the attributesto the central computational instance without transmitting informationidentifying the entity.

In some embodiments, the central computational instance may beassociated with a central network different from the managed networks.

In some embodiments, the act of transmitting the request for theout-of-band delivery of the configuration data may involve transmittinga request for the out-of-band delivery of the configuration data tooccur at a frequency. In such embodiments, the acts of receiving andwriting the configuration data may be performed at the frequency.

In some embodiments, the local database may contain a registry tableidentifying the one or more source fields of the source table and maydefine a mapping between the one or more source fields and correspondingdestination fields of the destination table. In such embodiments, theact of determining the one or more destination fields of the sourcetable may involve referring to the registry table to determine the oneor more destination fields of the destination table that are mapped tothe one or more source fields.

In some embodiments, the central computational instance may beconfigured to refer to existing configuration data related to theparticular computational instance and, in response to the existingconfiguration data related to the particular computational instancemeeting predefined criteria, enable the computing device to receive theconfiguration data. In such embodiments, the existing configuration datarelated to the particular computational instance may be stored in thecentral database. In such embodiments, the act of referring to theexisting configuration data related to the particular computationalinstance may involve referring to the central database to determine asoftware release version of the software module that the particularcomputational instance is executing. In such embodiments, the act ofenabling the computing device to receive the configuration data inresponse to the existing configuration data related to the particularcomputational instance meeting the predefined criteria may involveenabling the computing device to receive the configuration data inresponse to the software release version of the software module being amost-recent software release version associated with the remote networkmanagement platform.

In some embodiments, a scoped application, customized by an entityassociated with the remote network management platform, may beconfigured to run on the central computational instance and receive andprocess requests for the out-of-band delivery of the configuration data.

X. Conclusion

The present disclosure is not to be limited in terms of the particularembodiments described in this application, which are intended asillustrations of various aspects. Many modifications and variations canbe made without departing from its scope, as will be apparent to thoseskilled in the art. Functionally equivalent methods and apparatuseswithin the scope of the disclosure, in addition to those describedherein, will be apparent to those skilled in the art from the foregoingdescriptions. Such modifications and variations are intended to fallwithin the scope of the appended claims.

The above detailed description describes various features and operationsof the disclosed systems, devices, and methods with reference to theaccompanying figures. The example embodiments described herein and inthe figures are not meant to be limiting. Other embodiments can beutilized, and other changes can be made, without departing from thescope of the subject matter presented herein. It will be readilyunderstood that the aspects of the present disclosure, as generallydescribed herein, and illustrated in the figures, can be arranged,substituted, combined, separated, and designed in a wide variety ofdifferent configurations.

With respect to any or all of the message flow diagrams, scenarios, andflow charts in the figures and as discussed herein, each step, block,and/or communication can represent a processing of information and/or atransmission of information in accordance with example embodiments.Alternative embodiments are included within the scope of these exampleembodiments. In these alternative embodiments, for example, operationsdescribed as steps, blocks, transmissions, communications, requests,responses, and/or messages can be executed out of order from that shownor discussed, including substantially concurrently or in reverse order,depending on the functionality involved. Further, more or fewer blocksand/or operations can be used with any of the message flow diagrams,scenarios, and flow charts discussed herein, and these message flowdiagrams, scenarios, and flow charts can be combined with one another,in part or in whole.

A step or block that represents a processing of information cancorrespond to circuitry that can be configured to perform the specificlogical functions of a herein-described method or technique.Alternatively or additionally, a step or block that represents aprocessing of information can correspond to a module, a segment, or aportion of program code (including related data). The program code caninclude one or more instructions executable by a processor forimplementing specific logical operations or actions in the method ortechnique. The program code and/or related data can be stored on anytype of computer readable medium such as a storage device including RAM,a disk drive, a solid state drive, or another storage medium.

The computer readable medium can also include non-transitory computerreadable media such as computer readable media that store data for shortperiods of time like register memory and processor cache. The computerreadable media can further include non-transitory computer readablemedia that store program code and/or data for longer periods of time.Thus, the computer readable media may include secondary or persistentlong term storage, like ROM, optical or magnetic disks, solid statedrives, compact-disc read only memory (CD-ROM), for example. Thecomputer readable media can also be any other volatile or non-volatilestorage systems. A computer readable medium can be considered a computerreadable storage medium, for example, or a tangible storage device.

Moreover, a step or block that represents one or more informationtransmissions can correspond to information transmissions betweensoftware and/or hardware modules in the same physical device. However,other information transmissions can be between software modules and/orhardware modules in different physical devices.

The particular arrangements shown in the figures should not be viewed aslimiting. It should be understood that other embodiments can includemore or less of each element shown in a given figure. Further, some ofthe illustrated elements can be combined or omitted. Yet further, anexample embodiment can include elements that are not illustrated in thefigures.

While various aspects and embodiments have been disclosed herein, otheraspects and embodiments will be apparent to those skilled in the art.The various aspects and embodiments disclosed herein are for purpose ofillustration and are not intended to be limiting, with the true scopebeing indicated by the following claims.

What is claimed is:
 1. A remote network management platform comprising:a central computational instance, wherein the central computationalinstance is a cloud-based application platform as a service (aPaaS)system containing, in a central configuration management database(CMDB), configuration data for a software module that, when executed,enables access to a software management service provided by the remotenetwork management platform, wherein the central computational instanceis configured to deliver updates to the software module, includingupdates to the configuration data, at a plurality of release times; anda plurality of customer computational instances, each of which isassociated with a respective managed network and configured to executethe software module using one or more servers of the respective customercomputational instance, wherein a particular customer computationalinstance of the plurality of customer computational instances includes aparticular local CMDB, and wherein a computing device associated withthe particular computational instance is configured to: determine one ormore source fields of a source table within the central CMDB of thecentral computational instance, the one or more source fields containingthe configuration data; transmit a request for an out-of-band deliveryof the configuration data contained in the one or more source fields,wherein the out-of-band delivery is to be made during a time other thanany of the plurality of release times; determine one or more destinationfields of a destination table within the particular local CMDB of theparticular customer computational instance; receive the configurationdata from the one or more source fields and write the configuration datato the one or more destination fields; and execute the software modulein accordance with the configuration data stored in the one or moredestination fields.
 2. The remote network management platform of claim1, wherein the managed network associated with the particular customercomputational instance is controlled by an entity, wherein the computingdevice is configured to: determine attributes of at least one softwareapplication installed on at least some client devices of the managednetwork; determine that the attributes are approved by the entity fortransmission to the central computational instance; and in response todetermining that the attributes are approved by the entity, transmit theattributes to the central computational instance.
 3. The remote networkmanagement platform of claim 2, wherein the computing device isconfigured to identify software applications installed on client devicesof the managed network using canonical normalization information thatrespectively corresponds to attributes of the software applications,wherein the attributes of the at least one software application compriseattributes for which the computing device is unable to findcorresponding canonical normalization information, and wherein theattributes of the at least one software application comprise one or moreof: a name of the at least one software application, a version of the atleast one software application, or a vendor of the at least one softwareapplication.
 4. The remote network management platform of claim 3,wherein the out-of-band delivery of the configuration data includes thecorresponding canonical normalization information for the attributes ofthe at least one software application.
 5. The remote network managementplatform of claim 2, wherein the attributes comprise license informationfor the at least one software application, and wherein the licenseinformation comprises one or more of: a name of the at least onesoftware application, a version of the at least one softwareapplication, a publisher of the at least one software application, alicense metric of the at least one software application, or a licenseduration of the at least one software application.
 6. The remote networkmanagement platform of claim 2, wherein transmitting the attributes tothe central computational instance comprises transmitting the attributesto the central computational instance without transmitting informationidentifying the entity.
 7. The remote network management platform ofclaim 1, wherein the central computational instance is associated with acentral network different from the managed networks.
 8. The remotenetwork management platform of claim 1, wherein transmitting the requestfor the out-of-band delivery of the configuration data comprisestransmitting a request for the out-of-band delivery of the configurationdata to occur at a frequency, and wherein receiving and writing theconfiguration data are performed at the frequency.
 9. The remote networkmanagement platform of claim 1, wherein the particular local CMDBcontains a registry table identifying the one or more source fields ofthe source table and defining a mapping between the one or more sourcefields and corresponding destination fields of the destination table,and wherein determining the one or more destination fields of the sourcetable comprises referring to the registry table to determine the one ormore destination fields of the destination table that are mapped to theone or more source fields.
 10. The remote network management platform ofclaim 1, wherein the central computational instance is configured torefer to existing configuration data related to the particular customercomputational instance and, in response to the existing configurationdata related to the particular customer computational instance meetingpredefined criteria, enable the computing device to receive theconfiguration data, wherein the existing configuration data related tothe particular customer computational instance is stored in the centralCMDB.
 11. The remote network management platform of claim 10, whereinreferring to the existing configuration data related to the particularcustomer computational instance comprises referring to the central CMDBto determine a software release version of the software module that theparticular customer computational instance is executing, whereinenabling the computing device to receive the configuration data inresponse to the existing configuration data related to the particularcomputational instance meeting the predefined criteria comprisesenabling the computing device to receive the configuration data inresponse to the software release version of the software module being amost-recent software release version associated with the remote networkmanagement platform.
 12. The remote network management platform of claim1, wherein a scoped application, customized by an entity associated withthe remote network management platform, is configured to run on thecentral computational instance and receive and process requests for theout-of-band delivery of the configuration data.
 13. Acomputer-implemented method comprising: determining, by a computingdevice associated with a particular customer computational instance of aremote network management platform, one or more source fields of asource table within a central configuration management database (CMDB)of a central computational instance of the remote network managementplatform, the one or more source fields containing configuration datafor a software module, wherein the software module, when executed,enables access to a software management service provided by the remotenetwork management platform, wherein the central computational instanceis configured to deliver updates to the software module, includingupdates to the configuration data, at a plurality of release times,wherein the particular customer computational instance is one of aplurality of computational instances of the remote network managementplatform that are associated with respective managed networks andconfigured to execute the software module, and wherein a local CMDBassociated with the particular customer computational instance isdisposed within the particular computational instance; transmitting, bythe computing device, a request for an out-of-band delivery of theconfiguration data contained in the one or more source fields, whereinthe out-of-band delivery is to be made during a time other than any ofthe plurality of release times; determining, by the computing device,one or more destination fields of a destination table within the localCMDB; receiving, by the computing device, the configuration data fromthe one or more source fields and writing the configuration data to theone or more destination fields; and executing, by the computing device,the software module in accordance with the configuration data stored inthe one or more destination fields.
 14. The method of claim 13, whereinthe managed network associated with the particular customercomputational instance is controlled by an entity, the methodcomprising: determining, by the computing device, attributes of at leastone software application installed on at least some client devices ofthe managed network; determining, by the computing device, that theattributes are approved by the entity for transmission to the centralcomputational instance; and in response to determining that theattributes are approved by the entity, transmitting, by the computingdevice, the attributes to the central computational instance.
 15. Themethod of claim 14, wherein the computing device is configured toidentify software applications installed on client devices of themanaged network using canonical normalization information thatrespectively corresponds to attributes of the software applications,wherein the attributes of the at least one software application compriseattributes for which the computing device is unable to findcorresponding canonical normalization information, and wherein theattributes of the at least one software application comprise one or moreof: a name of the at least one software application, a version of the atleast one software application, or a vendor of the at least one softwareapplication.
 16. The method of claim 15, wherein the out-of-banddelivery of the configuration data includes the corresponding canonicalnormalization information for the attributes of the at least onesoftware application.
 17. The method of claim 14, wherein the attributescomprise license information for the at least one software application,and wherein the license information comprises one or more of: a name ofthe at least one software application, a version of the at least onesoftware application, a publisher of the at least one softwareapplication, a license metric of the at least one software application,or a license duration of the at least one software application.
 18. Themethod of claim 14, wherein transmitting the attributes to the centralcomputational instance comprises transmitting the attributes to thecentral computational instance without transmitting informationidentifying the entity.
 19. The method of claim 13, wherein the localCMDB contains a registry table identifying the one or more source fieldsof the source table and defining a mapping between the one or moresource fields and corresponding destination fields of the destinationtable, and wherein determining the one or more destination fields of thesource table comprises referring to the registry table to determine theone or more destination fields of the destination table that are mappedto the one or more source fields.
 20. An article of manufactureincluding a non-transitory computer-readable medium, having storedthereon program instructions that, upon execution by a computing deviceassociated with a particular customer computational instance of a remotenetwork management platform, cause the computing device to performoperations comprising: determining one or more source fields of a sourcetable within a central configuration management database (CMDB) of acentral computational instance of the remote network managementplatform, the one or more source fields containing configuration datafor a software module, wherein the software module, when executed,enables access to a software management service provided by the remotenetwork management platform, wherein the central computational instanceis configured to deliver updates to the software module, includingupdates to the configuration data, at a plurality of release times,wherein the particular customer computational instance is one of aplurality of customer computational instances of the remote networkmanagement platform that are associated with respective managed networksand configured to execute the software module, and wherein a local CMDBdatabase is disposed within the particular computational instance;transmitting a request for an out-of-band delivery of the configurationdata stored in the one or more source fields, wherein the out-of-banddelivery is to be made during a time other than any of the plurality ofrelease times; determining one or more destination fields of adestination table within the local CMDB of the particular customercomputational instance; receiving the configuration data from the one ormore source fields and writing the configuration data to the one or moredestination fields; and executing the software module in accordance withthe configuration data stored in the one or more destination fields.